Saturday, August 10, 2013

This post is all about what I was unable to discuss during my talk at Defcon 21, "Powerpreter: Post Exploitation like a boss". In 45 minutes one can only highlight a limited number of things, so this and some further posts will try to fill the gaps left during the talk.

Powerpreter is a PowerShell module. I decided to make it a part of Nishang as there is a large amount of repeated code. This post assumes that we have administrative access to a Windows 7 machine. Powerpreter can surely be used as a non-admin user, but obviously with limited (though still useful, as some of the examples below show) functionality. Like the other scripts in Nishang, I have tried my best to keep powerpreter compatible with PowerShell v2, so you may see some code which could be done with a single cmdlet in PowerShell v3 and v4.

We can list the help for each function by using help. For example, to get help for Check-VM:

Now, let's have a look at some of these methods/commands/payloads. Some of the payloads in powerpreter have already been explained in blog posts about Nishang, so I will explain only a couple of those and some new functionality in powerpreter:

Use Enable-DuplicateToken to escalate to SYSTEM and then use Get-PassHashes or Get-LsaSecret, depending on your requirement.

Let's see it in action from a meterpreter.

First we download powerpreter. I use the -encodedcommand option of powershell.exe in meterpreter to avoid any issues; StringtoBase64 in powerpreter can be used to produce the encoded command.

In the case of Get-LsaSecret on a 64-bit machine, 32-bit PowerShell needs to be run, so from a PowerShell remoting session use this path for powershell.exe: C:\Windows\SysWOW64\WindowsPowerShell\v1.0. When using meterpreter, if the process on the target is already 32-bit there is no need to specifically call 32-bit PowerShell.

HTTP-Backdoor
This backdoor can be controlled using a website whose content can be changed. Let's use pastebin for this.

It asks for four parameters. It keeps polling the URL provided in the CheckURL option for a string provided in the Magicstring option. As soon as the string matches, it pulls a PowerShell script/command from PayloadURL.

Different commands or scripts can be executed by changing the payload at PayloadURL. After a successful execution it waits for 60 seconds before polling again, to avoid generating too much traffic.
The backdoor starts in a new process. With the -exfil option, the results of the backdoor can be exfiltrated.

This is how the backdoor process looks to the naked eye.
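Added example, not from the post or from Nishang: a small detector a defender could run over proxy logs to spot this kind of polling loop. It parses constructed log lines (timestamp, client, method, URL; all values hypothetical) and flags a client that fetches the same URL at a steady cadence with little jitter, which is what a fixed 60-second wait produces, while ordinary browsing is bursty.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the original post): timestamp, client, method, URL.
# 10.0.0.5 fetches the same pastebin URL about every 60 seconds; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2013-08-10T10:00:00 10.0.0.5 GET http://pastebin.com/raw.php?i=checkurl
2013-08-10T10:00:01 10.0.0.7 GET http://www.microsoft.com/en-us/default.aspx
2013-08-10T10:01:00 10.0.0.5 GET http://pastebin.com/raw.php?i=checkurl
2013-08-10T10:01:30 10.0.0.7 GET http://pastebin.com/raw.php?i=readme
2013-08-10T10:02:00 10.0.0.5 GET http://pastebin.com/raw.php?i=checkurl
2013-08-10T10:03:00 10.0.0.5 GET http://pastebin.com/raw.php?i=checkurl
2013-08-10T10:03:02 10.0.0.5 GET http://pastebin.com/raw.php?i=payloadurl
2013-08-10T10:04:02 10.0.0.5 GET http://pastebin.com/raw.php?i=checkurl
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield (timestamp, client, url) for each well-formed line of the constructed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)

def find_beacons(log, min_hits=4, max_jitter=5.0):
    """Return {(client, url): median_interval_seconds} for URLs fetched at a steady cadence.

    A fixed sleep between polls (HTTP-Backdoor waits 60 seconds) gives near-identical
    gaps between requests; ordinary browsing is bursty, so its gaps vary widely.
    """
    hits = defaultdict(list)
    for ts, client, url in parse(log):
        hits[(client, url)].append(ts)
    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue                       # too few requests to judge a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            beacons[key] = statistics.median(gaps)
    return beacons

if __name__ == "__main__":
    for (client, url), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {url} every ~{interval:.0f}s")
```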

DNS TXT Backdoor
This backdoor uses DNS TXT records for receiving commands and scripts to execute as well as instructions to stop and start.

The backdoor asks for various options. StartDomain is the one which will be polled by the backdoor for instructions. Three possibilities are present:

If the TXT record at StartDomain matches cmdstring, the backdoor will query the TXT record of commanddomain for a one-line command and execute it on the target.

If the TXT record at StartDomain matches psstring, the backdoor will look for a base64-encoded PowerShell script in the TXT record of psdomain.

If the TXT record at StartDomain matches stopstring, the payload stops.

As in the case of HTTP-Backdoor, this backdoor also runs in a new process and can use the -exfil option. The example below shows a usage of the backdoor.

We executed Get-Service on the target and the results were exfiltrated to Gmail.

Now let's have a look at the Keylogger. Unfortunately, this does not work from a PowerShell remoting session, so let's run it from a meterpreter session.

The keylogger logs keys to a file in the user's temp directory on the target. The logged keys can be parsed using the Parse_Keys script in Nishang. If you use the -exfil option and select gmail, the key.log file will be sent as an attachment to the given Gmail ID. To avoid sending the same keys repeatedly, key.log is flushed after 30 reads.

DNS TXT Code Execution
This payload can be used to pull shellcode from DNS TXT records; the shellcode is then executed in memory. We have to provide different domains for 32-bit and 64-bit shellcode. The payload determines the architecture during execution and pulls the shellcode accordingly.

We can use the command given in the payload's help to generate the shellcode using msf.
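Added example, not from the post or from Nishang, covering both the DNS TXT Backdoor above and DNS TXT Code Execution: a classifier a defender could run over resolver logs to flag TXT answers that carry tasking or payloads rather than ordinary SPF/DMARC data. The log lines, the attacker.example names and the payload values are constructed; it flags a plaintext cmdlet (the commanddomain case), base64 that decodes to PowerShell (the psdomain case) and base64 that decodes to non-text bytes (what a shellcode blob looks like).

```python
import base64
import re

# Verb-Noun token shape of a PowerShell cmdlet, e.g. Get-Service.
CMDLET_RE = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed resolver log lines (client qname qtype rdata); not from the original post.
# The attacker.example names and the payload values are hypothetical samples.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 example.com TXT v=spf1 include:_spf.example.com -all",
    "10.0.0.5 start.attacker.example TXT cmdstring",
    "10.0.0.5 cmd.attacker.example TXT Get-Service",
    "10.0.0.5 ps.attacker.example TXT " + b64(b"Get-Service | Out-String"),
    "10.0.0.5 sc.attacker.example TXT " + b64(bytes([0, 1, 2, 3, 252, 253, 254, 255] * 2)),
    "10.0.0.9 _dmarc.example.com TXT v=DMARC1; p=none",
])

def classify_txt(rdata):
    """Return why a TXT rdata looks like tasking or a payload, or None if it looks benign."""
    if CMDLET_RE.search(rdata):
        return "plaintext PowerShell cmdlet"          # the commanddomain one-liner case
    if len(rdata) < 16 or len(rdata) % 4 or not B64_RE.match(rdata):
        return None                                   # SPF, DMARC and short magic strings
    try:
        raw = base64.b64decode(rdata, validate=True)
    except ValueError:
        return None
    # surrogateescape turns invalid UTF-8 bytes into non-printable surrogates
    text = raw.decode("utf-8", "surrogateescape")
    if not text.isprintable():
        return "base64 decodes to non-text bytes"     # what a shellcode blob looks like
    if CMDLET_RE.search(text):
        return "base64 decodes to PowerShell"         # the psdomain encoded-script case
    return "opaque base64 TXT record"

def scan(log):
    """Return (client, qname, reason) for every TXT answer that classify_txt flags."""
    findings = []
    for line in log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[2] == "TXT":
            reason = classify_txt(parts[3])
            if reason:
                findings.append((parts[0], parts[1], reason))
    return findings
```

Repeated TXT lookups of one name by one client (the StartDomain polling itself) are better caught by the cadence check than by content, since a magic string is indistinguishable from an ordinary word.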

UPDATE: Since many of you asked: HTTP-Backdoor, DNS TXT Backdoor, Keylogger and DNS TXT Code Execution can all be used by a non-admin user. However, to use PowerShell remoting we must have admin access to the remote machine, unless it is configured otherwise. So, if we have non-admin shell access to a machine we can still use the above.

Special thanks to Lee Holmes for going through my ugly coding of powerpreter and suggesting changes.

OK, that is enough in this post about Powerpreter. As powerpreter is going to be a part of Nishang, I would like to announce an updated version, Nishang 0.3.0. The changes can be found in the CHANGELOG below.

12 comments:

Your PS scripts are awesome! I've taken them and tweaked several, thanks. However I can't get EnableDuplicateToken to work in Vista/Win7/2008 in 64 & 32 bit. Running PowerShell as admin, on most of the 64-bit systems the script runs, however my access stays the same. I'm still not SYSTEM. Any advice?

I feel stupid now, I misunderstood how EnableDuplicateToken worked. I didn't realize it was temporary and only for a command run on the same line... anyways thanks, it works great lol.

My mods were mainly removing all the pastebin & tinypaste, though I did leave some of the gmail. However, for gmail to work I had to mod the line to add the port: $smtp = new-object Net.Mail.SmtpClient($smtpServer,587 )

For the HttpBackdoor I have 2 main mods: 1 allows https with an invalid cert; 2 was to download the payload to a string and execute the string, vs downloading it to a file then running the file. Also, it'll then run as a job and wait for it to stop vs waiting 60 seconds.

Regarding Enable-DuplicateToken, the behavior you mentioned is in a PowerShell remoting session. It sets the stolen token on the current process thread, and in case you try it on a machine from an interactive shell other than PS remoting (local access or an interactive PowerShell somehow), it will "elevate" the privileges for the life of the calling thread.

Regarding your tweaks, thank you very much. I will test and make changes. I am always looking for contributors so let me know if you want to share something.

Awesome work! I have a question on your HTTP-backdoor code execution. Maybe I'm reading into it or I'm missing something, so hopefully you can help me out.

When using the HTTP backdoor, how does the code execution actually work? I understand how it downloads the script, but giving that script a command... how does that work? For example:

I host powershellscript for your powerpreter on http://pastebin.com/powerpreter.psm1

I use the HTTP-backdoor with a magic string, and it goes to my pastebin and downloads the powerpreter. How do I give the powerpreter commands, like Get-Information? Until I give the stopstring, does the powerpreter run in the same PowerShell instance, or does it spawn a new one each time?

Hope this wasn't too confusing. Just asking for a bit of guidance! Thanks!

It has been fixed. Please update your repo and try again. You should now be able to provide a command like Get-Information with the -Arguments parameter while using a script module like Powerpreter. To provide a different command, HTTP-Backdoor needs to be run again.

Although, for using multiple scripts as payload in a single run, you can change the script at PayloadURL while the HTTP-Backdoor is running on the target. Also, until stopstring is given, it runs in the same instance of PowerShell.

Hey Nikhil, I read your blog on Nishang but I am unable to get it to work. Can you please help me as it is troubling me a lot and it's urgent.. https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1